With all this knowledge, transitioning to the cloud should be easy. Right?

Wrong. Two common misconceptions will derail your move to the cloud

The cloud provider will take care of security

On-premises security tools work just fine in the cloud

So, if you’re about to join the cloud revolution, start by answering these questions: how are security responsibilities shared between clients and cloud vendors? And why do on-premises security solutions fail in the cloud?

Cloud Models and Shared Security

A cloud model defines the services provided by the provider. It also defines how the provider splits security responsibilities with customers. Sometimes the split is obvious: cloud providers are, of course, tasked with physical security for their facilities. Cloud customers, obviously, control which users can access their apps and services. After that the picture can get a little murky.

The following three cloud models don’t comprehensively account for every cloud variation, but they help clarify who is responsible for what:

Software-as-a-Service (SaaS): SaaS providers are responsible for the hardware, servers, databases, data, and the application itself. Customers subscribe to the service and end users interact directly with the application(s) provided by the SaaS vendor. Salesforce and Office365 are two well-known SaaS offerings.

Platform as a Service (PaaS): PaaS vendors offer a turnkey environment for higher-level programming. The vendor manages the hardware, servers, and databases while the PaaS customer writes the code needed to deliver custom applications. Engine Yard and Google App Engine are examples of PaaS solutions.

Infrastructure as a Service (IaaS): An IaaS environment lets customers create and operate an end-to-end virtualized infrastructure. The IaaS vendor manages all physical aspects of the service as well as the virtualization services needed to build solutions. Customers are responsible for everything else - the applications, workloads, or containers deployed in the cloud. Amazon Web Services (AWS) and Microsoft Azure are popular IaaS solutions.

The key to understanding shared security lies in understanding who makes the decisions about a specific aspect of the cloud solution. For example, Microsoft calls the shots on Excel development for their Office 365 SaaS solution. Vulnerabilities in Excel are, therefore, Microsoft’s responsibility. In the same spirit, security vulnerabilities in an app you create on a PaaS service are your responsibility - but operating system vulnerabilities are not.

This all seems like common sense - but it means you’ll need to understand your cloud model to understand your security responsibilities. If you’re securing an IaaS solution you’ll need to take a broad perspective. Everything from server configurations to container provenance can impact your security posture - and they are your responsibility.

Security “Lift and Shift”

An IaaS solution can virtually replicate on-premises infrastructure in the cloud. So lifting and shifting your on-premises security to the cloud may seem like the best way to get up and running. But that approach has led many cloud transitions to ruin. Why? The cloud needs different security approaches for three important reasons:

Change Velocity

Hardware limits how fast a traditional data center can change. The cloud eliminates physical constraints and changes how we think about servers and storage. Cloud solutions, for example, scale by instantly and automatically bringing new servers online. But for traditional security tools, this cloud velocity is chaos. Metered usage costs rapidly spin out of control. Configuration and policy management becomes an overwhelming task. Interdependent security processes become brittle and unreliable.

Network Limitations

On-premises data centers take advantage of stable networks to establish boundaries. In the cloud, networks are temporary resources. Virtual entities join and leave instantaneously and across geographical boundaries. Network identifiers (like IP addresses) no longer provide the same stable control points as they once did and encryption makes it harder to observe application behavior from the network. Network-centric security tools leave cloud solutions vulnerable to lateral movement by attackers.

Cloud Complexity

When the cloud removes barriers to velocity, the number of machines, servers, containers, and networks explodes. As complex as on-premises data centers can be, cloud solutions are far worse: the number of cloud entities, configuration files, event logs, locations, networks, and connections are too much for even expert human analysis. Analyzing security incidents, assessing the impact of a breach, or even simply tracing an administrator’s activities isn’t possible with traditional data center security tools.

Cloud Security Needs New Solutions

Moving to the cloud is more than a simple lift-and-shift of existing servers and apps to a different set of servers. Granted, offloading infrastructure responsibilities to your provider is a huge win. Without capital expenses and the inertia of hardware, IT organizations do more with less, faster.

Fortunately, new cloud-centric security solutions make your move to the cloud easier. Three key capabilities can keep you out of trouble as you transition: automation, an expanded focus on apps and operations (in addition to networks), and behavioral baselining.

Automation makes it possible to keep up with cloud changes (and DevOps teams) during deployment, operations, and incident investigations. Moving the security focus up the stack reduces the impact of network impermanence in the cloud and delivers better visibility into high-level application and service operations. And behavioral baselining makes short work of otherwise tedious rule and policy development.

With the right technologies, and an understanding of differences, security pros can easily make the move to the cloud.

About the author: Sanjay Kalra is co-founder and CPO at Lacework, leading the company’s product strategy, drawing on more than 20 years of success and innovation in the cloud, networking, analytics, and security industries.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.